---

# Some files need to be made readable by lighttpd using the ACLs, so we need to
# set the mode 0640 (the group mode means mask).

- name: copy httpd ssl certificates
  copy: src="{{ private }}/files/httpd/{{ item.file }}"
        dest="/etc/lighttpd/{{ item.file }}" owner=root group=root
        mode={{ item.mode | default('0600') }}
  with_items:
  - file: copr-be.cloud.fedoraproject.org.key
  - file: copr-be.cloud.fedoraproject.org.cert
  - file: copr-be.cloud.fedoraproject.org.pem
    mode: "0640"
  - file: copr-be.cloud.fedoraproject.org.intermediate.cert
    mode: "0640"
  - file: copr.fedorainfracloud.org.key
  - file: copr.fedorainfracloud.org.crt
  - file: copr.fedorainfracloud.org.pem
  - file: copr.fedorainfracloud.org.intermediate.crt
  notify:
  - restart lighttpd
  tags:
  - config
  - config_httpd_certificates

# When we do 'systemctl restart', lighttpd is initially started as "root"
# process (when the config is loaded) and later it does setuid(lighttpd).
# So "restart" is just fine.   Though we also do 'killall -HUP lighttpd' in
# several occasions and then 'lighttpd' user needs to have the access.  See the
# following issues:
#   https://pagure.io/copr/copr/issue/2001 Resolves:
#   https://pagure.io/fedora-infrastructure/issue/10391
# Note that the items here must match the configuration in lighttpd.conf!
- name: allow lighttpd to read the certificates
  acl:
    path: "{{ item.0 }}"
    etype: "{{ item.1.etype }}"
    entity: "{{ item.1.entity }}"
    permissions: "{{ item.1.permissions }}"
    state: present
  loop: "{{ files|product(perms)|list }}"
  vars:
    files:
      - "/etc/lighttpd/copr-be.cloud.fedoraproject.org.pem"
      - "/etc/lighttpd/copr-be.cloud.fedoraproject.org.intermediate.cert"
    perms:
      # make sure the default 'root' group has '---' perms
      - etype: group
        permissions: "---"
        entity: null
      # and grant lighty the read access
      - etype: user
        entity: lighttpd
        permissions: "r--"

  tags:
  - config
  - config_httpd_certificates
